SSI Injection (Server-side Include) is a server-side exploit technique
that allows an attacker to send code into a web application, which will
later be executed locally by the web server. SSI Injection exploits a
web application's failure to sanitize user-supplied data before they
are inserted into a server-side interpreted HTML file.
Before serving an HTML web page, a web server may parse and
execute Server-side Include statements before providing it to the
user. In some cases (e.g. message boards, guest books, or content
management systems), a web application will insert user-supplied
data into the source of a web page.
If an attacker submits a Server-side Include statement, he may have
the ability to execute arbitrary operating system commands, or
include a restricted file's contents the next time the page is served.
The following SSI tag can allow an attacker to get the root directory
listing on a UNIX based system.
< !--#exec cmd="/bin/ls /" -- >
The following SSI tag can allow an attacker to obtain database
connection strings, or other sensitive data contained within a .NET
To receive your Free Application
Vulnerability Assessment for testing of one attack vulnerability of your choice, please submit your payment of $1999.00 for a second SSI Injection attack vulnerability test.